Add patch to fix integer overflows.

Resolves: RHEL-40650

0001-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch

@@ -0,0 +1,109 @@
+From 6b98423e19a68b182cd50e3c640f9828b025818b Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Wed, 10 Apr 2024 17:01:10 -0700
+Subject: [PATCH 1/3] Fix integer overflows in calc of stride_in_bytes
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188761.
+
+Fix unsigned integer overflows in the calculation of stride_in_bytes in
+img_alloc_helper() when d_w is huge.
+
+Change the type of stride_in_bytes from unsigned int to int because it
+will be assigned to img->stride[VPX_PLANE_Y], which is of the int type.
+
+Test:
+. ../libvpx/tools/set_analyzer_env.sh integer
+../libvpx/configure --enable-debug --disable-optimizations
+make -j
+./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth
+
+Bug: chromium:332382766
+Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82
+---
+ vpx/src/vpx_image.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index af7c529a7..a01aab29c 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -20,9 +20,9 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt,
+                                      unsigned int buf_align,
+                                      unsigned int stride_align,
+                                      unsigned char *img_data) {
+-  unsigned int h, w, s, xcs, ycs, bps;
+-  unsigned int stride_in_bytes;
+-  int align;
++  unsigned int h, w, xcs, ycs, bps;
++  uint64_t s;
++  int stride_in_bytes, align;
+ 
+   /* Treat align==0 like align==1 */
+   if (!buf_align) buf_align = 1;
+@@ -92,9 +92,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt,
+    * and height shouldn't be adjusted. */
+   w = d_w;
+   h = d_h;
+-  s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+-  s = (s + stride_align - 1) & ~(stride_align - 1);
+-  stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++  s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++  s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++  s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++  if (s > INT_MAX) goto fail;
++  stride_in_bytes = (int)s;
+ 
+   /* Allocate the new image */
+   if (!img) {
+@@ -117,9 +119,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt,
+     align = (1 << ycs) - 1;
+     h = (d_h + align) & ~align;
+ 
+-    s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+-    s = (s + stride_align - 1) & ~(stride_align - 1);
+-    stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++    s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++    s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++    s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++    if (s > INT_MAX) goto fail;
++    stride_in_bytes = (int)s;
+     alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
+                                             : (uint64_t)h * s;
+ 
+@@ -185,18 +189,19 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
+       if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
+         img->planes[VPX_PLANE_ALPHA] =
+             data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA];
+-        data += img->h * img->stride[VPX_PLANE_ALPHA];
++        data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA];
+       }
+ 
+       img->planes[VPX_PLANE_Y] =
+           data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y];
+-      data += img->h * img->stride[VPX_PLANE_Y];
++      data += (size_t)img->h * img->stride[VPX_PLANE_Y];
+ 
+       if (!(img->fmt & VPX_IMG_FMT_UV_FLIP)) {
+         img->planes[VPX_PLANE_U] =
+             data + (x >> img->x_chroma_shift) * bytes_per_sample +
+             (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+-        data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
++        data +=
++            (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+         img->planes[VPX_PLANE_V] =
+             data + (x >> img->x_chroma_shift) * bytes_per_sample +
+             (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+@@ -204,7 +209,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
+         img->planes[VPX_PLANE_V] =
+             data + (x >> img->x_chroma_shift) * bytes_per_sample +
+             (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+-        data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
++        data +=
++            (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+         img->planes[VPX_PLANE_U] =
+             data + (x >> img->x_chroma_shift) * bytes_per_sample +
+             (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+-- 
+2.45.2
+

0002-Apply-stride_align-to-byte-count-not-pixel-count.patch

@@ -0,0 +1,34 @@
+From f8472f581ed1b4dd0d205efdec72e43742f579fb Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Thu, 11 Apr 2024 16:38:45 -0700
+Subject: [PATCH 2/3] Apply stride_align to byte count, not pixel count
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188962.
+
+stride_align is documented to be the "alignment, in bytes, of each row
+in the image (stride)."
+
+Change-Id: I2184b50dc3607611f47719319fa5adb3adcef2fd
+(cherry picked from commit 7d37ffacc6f7c45554b48ca867be4223248f1ed6)
+---
+ vpx/src/vpx_image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index a01aab29c..0c84562ae 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -93,8 +93,8 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt,
+   w = d_w;
+   h = d_h;
+   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+-  s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+   s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++  s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+   if (s > INT_MAX) goto fail;
+   stride_in_bytes = (int)s;
+ 
+-- 
+2.45.2
+

0003-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch

@@ -0,0 +1,46 @@
+From 0a68a93729ab879251ad63f833a327d20dbbbc23 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Fri, 12 Apr 2024 15:48:04 -0700
+Subject: [PATCH 3/3] Fix a bug in alloc_size for high bit depths
+
+I introduced this bug in commit 2e32276:
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
+
+I changed the line
+
+  stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+
+to three lines:
+
+  s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+  if (s > INT_MAX) goto fail;
+  stride_in_bytes = (int)s;
+
+But I didn't realize that `s` is used later in the calculation of
+alloc_size.
+
+As a quick fix, undo the effect of s * 2 for high bit depths after `s`
+has been assigned to stride_in_bytes.
+
+Bug: chromium:332382766
+Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c
+(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3)
+---
+ vpx/src/vpx_image.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index 0c84562ae..38d4c1ce3 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -97,6 +97,7 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt,
+   s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+   if (s > INT_MAX) goto fail;
+   stride_in_bytes = (int)s;
++  s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;
+ 
+   /* Allocate the new image */
+   if (!img) {
+-- 
+2.45.2
+

libvpx.spec

@@ -6,7 +6,7 @@
 Name:			libvpx
 Summary:		VP8/VP9 Video Codec SDK
 Version:		1.7.0
-Release:		10%{?dist}
+Release:		11%{?dist}
 License:		BSD
 Group:			System Environment/Libraries
 #Source0:		http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@@ -27,6 +27,9 @@ Patch3:			0003-CVE-2019-9371-update-libwebm.patch
 Patch4:			0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
 Patch5:			0001-Fix-bug-with-smaller-width-bigger-size.patch
 Patch6:			0001-VP8-disallow-thread-count-changes.patch
+Patch7:			0001-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
+Patch8:			0002-Apply-stride_align-to-byte-count-not-pixel-count.patch
+Patch9:			0003-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
 
 %description
 libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications 
@@ -60,6 +63,9 @@ and decoder.
 %patch4 -p1 -b .0004
 %patch5 -p1 -b .0005
 %patch6 -p1 -b .0006
+%patch7 -p1 -b .0007
+%patch8 -p1 -b .0008
+%patch9 -p1 -b .0009
 
 %build
 %ifarch %{ix86}
@@ -249,6 +255,10 @@ rm -rf %{buildroot}%{_prefix}/src
 %{_bindir}/*
 
 %changelog
+* Fri Jul 5 2024 Wim Taymans <wtaymans@redhat.com> - 1.7.0-11
+- Add patch to fix integer overflows.
+- Resolves: RHEL-40650
+
 * Thu Oct 5 2023 Wim Taymans <wtaymans@redhat.com> - 1.7.0-10
 - Add patch for CVE-2023-5217
 - Resolves: RHEL-10612